Assume Breach, Build Trust: Zero Trust Lessons from STCU
In this episode Greg Mitchell, Application Administration Manager at Spokane Teachers Credit Union (STCU), provides a candid, insightful look at what it really takes to drive security and innovation inside a modern, mission-driven financial institution.
Transcript
Raghu N 00:12
So welcome back to The Segment. I'm your host, Raghu Nandakumara, and today it gives me great pleasure to introduce Greg Mitchell from Spokane Teachers Credit Union. He's a leader driving innovation and resilience from the inside out, working at the intersection of applications and infrastructure, helping STCU modernize and secure its core systems, from streamlining operations to leading segmentation efforts. He's been instrumental in showing how lean teams could take on big security challenges and win. Greg, it's incredible to have you on The Segment. Welcome!
Greg Mitchell 00:42
Thank you. Thank you very much. Glad to be here.
Raghu N 00:45
It's always exciting to speak to a practitioner, and particularly someone who's much closer to sort of the application teams. So, really, the folks who are kind of running those critical applications that we're trying to protect, we'll, of course, get onto all of that. But Greg, it's always great to hear about your background and how you got to what you're doing now. So, the floor is yours.
Greg Mitchell 01:07
Thank you. I've been working here at STCU for about six years now, or coming up on six years. I currently manage the Application Administration team here, which is a team of five folks, and we're kind of partnered with the IT Engineering team on the other side of the wall there. Previously, I worked in public education. I was a system administrator at a local school district here for a couple of years, and then went on to be a supervisor of technology at another school district, and wanted to get back into the private sector. And STCU was a place I really had wanted to work for a while, and kind of found my in. It meant I had to go back and actually be an application administrator. Eventually, through some growth and learning from some great leaders, I had the opportunity to step into a leadership role here, and have enjoyed every bit of it. So, here we are leading technology across the financial institution front.
Raghu N 02:01
Love to hear it. So, it sounds like, particularly from that time in the public sector, you probably have that unique perspective of, like, organizations which are potentially on different sides of the funding and resourcing challenge. So, do you see sort of vast differences between how you've had to run your teams and prioritize in the public sector versus where you work today?
Greg Mitchell 02:25
Yeah, I think it's a little challenging in the public sector, just because when you talk about dollars and cents, everybody kind of wants their piece of the pie. And those allocations come from the state, of course, based on FTE head count of individuals who attend those schools. And so, it can be a challenge trying to get, you know, funding for different applications, for different security protocols, those kinds of things. So, it's a constant fight, or battle, if you will, at the administration level to make sure that it has the proper allocation. So, that's been a big difference joining STCU. Here they're very cognizant of IT and how we need to back that. And so there's lots of leadership efforts at the C-suite level, you know, the VP level, all the way down to directors and managers around supporting it and advancing technology, especially when you're talking about cybersecurity and making sure that member data, personal information, PII, all that stuff is protected, and so really, you need to pay a whole lot more attention to that because of the fact that we are talking about people's financial information. So, yeah, definitely a very different landscape coming from public to private.
Raghu N 03:35
Let's talk about your role today. So, on the podcast, we've had many, many security leaders and security practitioners from sort of CISOs and CSOs all the way to threat hunters and those who are sort of deep in the day-to-day practitioner mindset, right? But yours is kind of a very much unique perspective and persona that I don't think we've had on the podcast before. It's someone who's embedded in the application teams from an application owner’s perspective. Where do you place security in the context of your other priorities in terms of running and building that application?
Greg Mitchell 04:14
Yeah, obviously there are regulations we have to meet from a financial institution standpoint, and it's easy to say that from the CISO all the way through the cybersecurity teams and the individuals who are building out the firewall, managing all of that, it's easy to isolate that and say, you know, “Hey, we've got our security team over here that is responsible for making sure nobody gets in. The appropriate people can get out and do what they need to.” And I think the landscape has changed over the past five to 10 years, maybe even before that. There's more of a need to isolate and protect applications as a whole. And where does that reside? It resides on the applications team, because they're the most familiar with those applications, how they talk amongst the servers, you know, the back-end infrastructure, and, you know, security becomes more of this ideology that all teams should be cognizant of. And when you kind of start wrapping your head around that perspective, it's easy to think about the firewall. It's protecting us from external threats, but you still want to be protected internally, because ultimately, you kind of want to assume that you're going to have some kind of a breach. It's the best way to approach setting up your standards and configuring things to just protect against that. So, as we look at building out our applications, we're obviously, like I said, meeting regulatory requirements, but at the same time, how much more can you do? You know, it's not about just checking the boxes and making sure you're good with auditors and compliance, but what further can you do to protect your environment, especially laterally? I think the misconception is you just want to protect people from getting in, but if somebody does get in, how can you stop them from laterally moving across your network? And that's where Zero Trust segmentation really comes into play.
Raghu N 06:05
I mean, I think you encapsulated that brilliantly. I couldn't have thought of better words myself, right? And I love sort of the contextualizing in terms of that whole, the needing to adopt that assume breach mindset, right? But also, I thought what was really interesting is how you frame, yes, you work for an organization that's part of a highly regulated industry, so there's kind of a minimum level of sort of security you need to have in place in order to meet compliance requirements. But that should be almost the baseline rather than the ambition, right? So, it's like, what else can I do? What else can I do beyond that? That mind shift about application owners, really, I guess, immersing themselves and buying into that security mindset. Is that a shift you've seen in the timeline of your current role, or is that a shift that's been happening for a much longer time period?
Greg Mitchell 07:01
I think it was a shift that happened a little bit before my time in my current role. We adopted Illumio, it’s the platform we use for Zero Trust segmentation. You know, we had purchased that application, I want to say back in 2021, 2022 ballpark, and with the mindset and approach that you do want to do some frame of ring fencing your applications. But it wasn't until I stepped into this role, and working with our director here, that we decided, okay, we actually need to do something with this. It's, you know, it's nice to speak to a vendor and say, Okay, we've got this nice tool that can do these cool things and really set us up in a much better security posture. But then it was time to take action. You know, post-COVID was goofy for anybody and everybody, in the sense that lots of things were moving, you had to be pretty nimble around what you did. And so honestly, it kind of sat for a little bit. And then there was a time where our director said, “We need to give this some more attention.” So, it rose up to dominance and priority, I would say, about a year and a half ago. I've been in this role two years now, and so in the first six months, it was a conversation around how we can take this and run with it and actually get something in place that makes sense for our organization and build out a heightened sense of security.
Raghu N 08:22
As a security vendor, we always love hearing how the problem that we are specifically solving raises up the priority list at a customer or a prospect. But I'd like to understand, like, how or why did it go up the priority list? Because, like, I'm a security practitioner, right? There are lots of things that you want to go and address. So, why solve this problem? And why now?
Greg Mitchell 08:46
I think really, it comes down to the leadership and kind of the strategic direction, or the strategic initiatives that are set from the director level, the VP level, or whatever the organization might look like. And so my hat's off to our director here. Just having kind of the foresight to see this and the need for this, and really pushing that narrative, that conversation with the other leaders, to say, “Hey, this is important, we need to pay attention to this and give it some priority.” So honestly, it starts at the leadership and when you start to get that buy-in to implement something like this, it’s when your leaders are saying that it becomes a priority for the next person to work on implementing it. So, honestly, leadership buy-in is where it's at.
Raghu N 09:34
Totally! I think that's what we find with so many customers: the ones who, like yourselves, are making really strong progress with adoption all have that as one of the commonalities, right, that there is strong leadership buy-in, but also actually strong buy-in from the other stakeholders, like the application owners. So, everyone is united and saying, “Yeah, I get why we need to do this. I’m bought into it, let's go,” versus almost having to convince, like, okay, convince the first person, and then they get on board, and then you've got to convince the second person, again, from scratch, right? And then, of course, that slows things down, which I think is just really great advice for our listeners thinking, how do I accelerate here? But again, let's talk about your organization, because you're not sort of those multi-national, global banks, right, which have hundreds of thousands of employees and have huge security teams and, in fact, potentially have huge teams that are focused on each security domain. How are you balancing this progress with improving your security capability and sort of adopting, in our case, segmentation? How are you doing that while also ensuring that you're not compromising things like your productivity, right? Your business productivity, etc.? Because I'm sure that that's kind of a fine balance that you're always trying to meet.
Greg Mitchell 11:01
As the need for this rose in its priority, you kind of look at it from the lens of: this is just as important as the progress toward the business initiatives, the technology initiatives. You kind of have to put a little bit of a tag or an earmark on it to say this is equivalent in importance and priority, and almost treat it as if it was a business initiative. And so as we look throughout the year, we have quarterly project check-ins to make sure that all the IT teams are aligned. And there's great conversation that takes place every three months around, you know, who's doing what? And you talk about a little bit more futuristic approach of saying, hey, here's what we've got coming up. And as long as you have your leader buy-in on that, you can kind of treat it like it's just as important as those business initiatives and expanding the IT landscape. So, ultimately, for us, I think we just kind of changed the lens a little bit that we were looking through to say, this is just as important as those. So, I think that's how we kind of got a good grasp on it and said, let's move forward with this. So, it became like another project, another application we were onboarding, another initiative to expand some of those applications. It became just as important.
Raghu N 12:21
Greg, I think it's really refreshing to hear that, the way you express that. Because so often what we hear is, okay, security needs to support the business objectives. Business objectives always come before security objectives. And security should be seen to be like that enabler, right? But the way you phrase it is, this is just as important as the business objective. So, we treat it as a business priority rather than a security priority, which then allows all of the justification, all of the support, etc., to be much more free-flowing.
Greg Mitchell 12:56
Absolutely. And when you start to frame it a little bit more in that sense, you start to get buy-off from other leaders who aren't in technology. I think the best way to do that is just providing analogies where people can kind of connect those dots. And so if you think about your house, you know, the firewall is the front door. If you're letting somebody in the front door, do you want them to get to all your bedrooms? Do you want them to get to the closets, the basement, the second story, you know, those kinds of things? So, ultimately, you want to stop somebody right there at the foyer and turn them around and get them out. And so it's analogies like that. I also kind of think of Zero Trust segmentation kind of like multi-factor authentication, right? You have your logins, you have your passwords that get you into things, but then you've got another layer of protection that says, okay, verify you are who you say you are. Give us the code we sent to your phone. Well, that's not how this happens, but I kind of use multi-factor authentication as that analogy as well, to say this is just another line of defense or security that we have in place to protect ourselves.
Raghu N 13:59
That's brilliant, right? That's a really good point to drive home, because it's kind of like the identity and authentication side of things is where people are much more sort of familiar, because it's kind of things that they interact with directly. So, it's like, I can touch it, I can see it, I can see MFA. So, I need to go and visibly show that I've deployed that, whereas something like microsegmentation, Zero Trust segmentation, which is behind the scenes. Sometimes it's like it almost gets forgotten. And I think where you express that is that if you're prioritizing MFA, what segmentation does is equivalent of what my MFA does, but obviously in a different context, and which is why it's super important. I think that that's just brilliant. And in your analogy of sort of Zero Trust, and in the concept of like a building with locks on the front, but then locks, etc., and sensors throughout, again, right? A great analogy to help people connect with this. So, again, going back to sort of the like smaller organizations, right, just having to do more with less from a resources perspective. I mean, this is a great success story you've told us, but what are the challenges to get there?
Greg Mitchell 15:04
It's intimidating when you bring on something as large as an initiative to implement Zero Trust segmentation, because everybody expects to have the security in place from a firewall perspective, or some level of protection from the outside. And when we brought in Illumio, it’s kind of like, wow, this, you know, it's a big tool. It can do lots of things, but we are talking about potentially blocking or hindering people's ability to work laterally through some different things. And so when I started doing a little bit more research around Zero Trust segmentation, a couple of years back, several years back, before actually getting into this, one of the recommendations I had read was, you know, start with your most critical applications and go after those and protect yourself immediately. And I don't know if I really agree with that, because in order to implement something so big and so changing in an organization, you want to have small wins. You want to have small implementations. And so start with some of your smaller applications. Get stakeholders to kind of understand why we're doing this, what we're doing, and work closely with them after implementation to be able to make sure that you're not affecting what they're doing on a day-to-day basis. And so what we did as a team here was we obviously divided up all the work, the applications, based on kind of size and priority. And we started with some of the smaller ones. Maybe there's only two servers, maybe there's only one, there's only a handful. I mean, we do have some applications that have, you know, upwards of 20-30 servers supporting that back end. We didn't want to start with those, because the effect that it could have from a brand new application that we're still learning and understanding could be frustrating, and you start to see that, oh, this is difficult, and it's easy to say, we can't do this.
On the contrary, why don't we start with something small, with a very small team, protect their stuff, build out a playbook, gain some confidence in what you're trying to do. So, maybe an unpopular opinion, but I just thought it's best to have some quick wins and work with the team to get familiarity with that application and understand its nuances, its ins and outs. And it's also easier, if you make mistakes and you block some things that need to be unblocked, to go in there and make adjustments with a smaller group of people and then build yourself up to those larger applications, the more servers you have on some of those back ends. So, that's kind of how we approached it. I mean, we're at 90% enforcement right now for Zero Trust, looking to kind of capture that last 8-10%. I don't know if we'll ever be 100%, because you always have servers coming in. You always have servers leaving, and so again, you've got to kind of be nimble with some of that. But my hope is that we can kind of get to 96-98% enforcement, understanding that we have stuff moving. So, that's kind of how I see it and how we approached it.
Raghu N 18:08
90%+ enforcement is the kind of stat to dream of. I think there are, forget application owners, there are security leaders globally who would bite your hand off: give me that, give me that every day. In fact, Greg, can you come into my organization and show my lot how to do this? That's amazing! And the approach you spoke about, right? If I were to summarize it, it's really about, rather than giving them reasons to say no, how can I make it as palatable as possible, so that I'm only giving them reasons to say yes, to make progress and to adopt. But also, as you said, building in the safety nets, because no technology is as good as we'd want it to be, and particularly where you're actually putting in place a restrictive technology, you're putting in place controls, and it's almost impossible to do that without maybe the odd thing not working as expected. But I think the advice is: build the safety net so that if that happens, plan for it and say, okay, well, if it happens, this is how we're going to react to it, so that we can move forward quickly, versus, oh no, something didn't work, let's take two steps back. Which, I think again, is really important for anyone who's adopting these types of capabilities to really listen to and take on board. Because again, this is where our kind of general reticence to take that step forward comes from, because of, oh, what if X happens? What if Y happens? We just kind of need to say, well, you know what, they might happen, but here's how we'll deal with those scenarios. Interestingly, to counter your example, we've also got customers who kind of take the plunge with their riskiest, most complex application, because often, from a regulatory perspective, those are the ones that the regulators need them to protect.
And their theory on this is almost the inverse. It's like, well, if I can do it for this application, then I can go to all my other application owners and say, “Hey, I've done it for the baddest, most complex infrastructure that we've got. There is no reason for you to push back because I've already had all the wounds and I've survived effectively.” But I think it's great advice that you provided.
Greg Mitchell 20:38
Yeah, absolutely, kind of a snowball effect, almost, you know, start with your smallest, get those quick wins, get the mentality, get the playbook in place. And then as you ramp up towards those complex, larger applications, it becomes a little easier. You can adapt as you run into walls a whole lot better than you could if you took that on at the start. And, you know, hats off to the application admins doing this, because, honestly, they're doing all the hard work. They're jumping in there. They're analyzing the traffic. They're figuring out what can be blocked, what shouldn't be blocked. And, you know, in some cases, with some of our applications we started with, you know, some of the risky stuff, you may be enforcing an application into Zero Trust segmentation at, say, like a 40% risk exposure. You know, ideally you want to get up in the 90s for that stuff. But, you know, every little thing can contribute to some form of success. So, if we are 40% protected in this application, well, guess what? That's better than being 100% exposed. So, just things like that.
Raghu N 21:42
Yeah, and I think that's a really important point, because obviously we often strive to be perfect. And it's almost like, okay, we're going to do this, let's go all the way, and let's essentially get to 100%. But again, I think it's achieving those small wins, because each win is improving your security posture by some measurable quantum. And those add up if you keep doing it, those add up over time, versus trying to make this big jump, failing and not being any better than you were before you started.
Greg Mitchell 22:18
Absolutely. Yeah, it's funny, you talk about, you know, we've reached this 90%, which is a pretty great metric to hit. And I'm very proud of the team for getting there, and we're going to continue pushing. But, you know, just last week, I was asked by our VP, saying, “Okay, we're at 90%. What can get us to 100%? How can we keep pushing?” And it's like, we're getting there. There are stragglers. We have some applications that are new since we started this that we have to get used to and understand and work on. And so for us, right now, we're doing two things. We're looking at that last 10%, coming up with a way to tackle that and seeing how far we can get there. And then also, we're partnering with Illumio to try and figure out what some of the gotchas are that you guys have observed in your other clients, and how we can work around some of those. How can we get better standards in place? We're here, but how can we get even better? So, help us to understand some manipulations we can make in the software. Help us to identify some risky ports we may be allowing and how we can address some of those. So, honestly, it's not one of those things that you bring in, you set up, you build it, you enforce it, and then you put it on the side and just run it. It's constant. It's constantly revisiting that application and saying, okay, what more can we do? Because there's always more you can do. You know, scammers are always trying to find different ways. Vulnerability is a very real thing. It's changing every day. Our cybersecurity team is constantly looking at what's next, what else is being reported out there as attacks and things like that.
Raghu N 23:55
Absolutely. It’s basically a lifestyle choice, really. So, taking it back to the application owners, right? It's great that they're bought into this, and they're putting in the effort they need to improve the security posture of their applications. And we've already spoken a bit about the security benefits that you're realizing. What other benefits are your application owners seeing as they come on this journey, as they engage? What are the other benefits that they see and really enjoy?
Greg Mitchell 24:29
While we didn’t expect it to come to fruition, one of the things that's really helped in moving this forward is the partnerships you build, the relationships you build with the departments, the other teams. And you know, we're not trying to do this behind closed doors. You want everybody to be aware of what's taking place. And so we had quite a bit of conversation early on around, okay, how can we build a relationship with teams? You might know you're going to struggle enforcing some of their stuff where they're used to doing whatever they want. How can we break down that barrier? And so we implemented a change control process for this that said, hey, we're going to go enforce Illumio on this bank of servers or this application. And through that change control process, there were notifications that were sent out to those teams and those people, and oftentimes they'd come back to us with questions. They'd chat with us about it. And we even found that there was an opportunity to educate some of the other teams around, here's how you access the platform. Here's how you can, you know, you have view access; if you want to see whether you're getting blocked or you might be having a problem, here's how you do that. And so we also had opportunities to train other teams on how to navigate through Illumio and do, you know, some level of self-service before just raising up their hands and saying, oh, we're getting blocked, we need help. And so I think the biggest benefit we found is just a little bit more relationship building amongst peers in supporting their applications, but also talking about how we're implementing some form of security around that as well. So, could I have told you that was something that was going to happen when we first started this project? No. It's just something that naturally came of it. So, relationship building is probably the biggest one.
That's a little bit outside of the IT lens, but I'd say that was the biggest benefit we've seen as we worked through this.
Raghu N 26:24
I think maybe we should make that a marketing slogan: Illumio segmentation, bringing people and teams together. Or, the employee community you didn't know you needed. Just expanding, sort of, we've spent quite a bit of time talking about segmentation, best practices, getting to success, etc. Let's kind of zoom out a bit, right? You spoke really, sort of at the top, about adopting an assume breach mindset, right? And tied to that is, of course, kind of building better cyber resilience. But for an organization of your size with the resources that you have, what does sort of cyber resilience look like? How do you perceive and measure cyber resilience?
Greg Mitchell 27:17
Disaster recovery, disaster recovery, disaster recovery. I think again, it is a regulatory requirement to be able to prove that you can recover from disaster. But the team here, not my team specifically, but the cybersecurity team, the compliance team, all of that, we've adopted an approach where, yearly, we will perform disaster recovery practices against all these applications, against everything we have, you know, and again, much of that is regulatory, but we've even adopted kind of a quarterly disaster recovery event. And so what we do is we actually spend some time all huddling in a room where somebody will come in, one of the leaders will come in and say, “Hey, here's the scenario we're playing out today.” You know, our headquarters building caught fire, kind of a thing. The network room went down, or whatever it might be. We actually perform some level of practice around approaching disaster recovery. And so, you're assuming that breach will happen. It's nice to talk about, but what are you doing to actually practice that? And so, yeah, we do a level of practice in what we would call kind of a concept of a disaster, and have lots of good conversation there. And with that, you're going to find gaps, and you know, you take note of that, and you go back to the drawing board and figure out how you can fill those gaps. So, we do quite a bit of testing and putting out some disaster recovery scenarios. So, I think that's how. It's not the fun stuff to do, right? That's the kind of side of IT that nobody really wants to pay attention to or enjoys, but it is important. So, it's definitely something that is on our yearly to-do list.
Raghu N 29:09
Yeah, but I think disaster recovery is interesting when you truly sort of model a real-world situation, right? You kind of gamify it a bit, and you make it realistic, versus what historically disaster recovery tests would be: okay, folks, on the third Saturday of June, we are going to do the disaster recovery. Which, of course, is exactly how a disaster works, right? It tells you when it's going to happen, it tells you what's going to happen, and then you plan for it. No, it's got to be realistic. So, yeah, I think that's far more… and a disaster doesn't have to be a cyberattack. It could be a natural disaster. It could be something happening to a building. And I often say that a well-executed cyberattack will be very difficult to differentiate from a misconfiguration which has caused unexpected impact. So, this all kind of needs to be worked into your test plans and how you respond and recover.
Greg Mitchell 30:11
And every year we also go through a penetration test; we do bring in a third party to hit things with a hammer and see what they can do. And this last year we had it, I want to say, back in the September, October timeframe, and that was when we were probably around 70% enforcement, 65% enforcement. And while we don't really have data to back this up, I would say that with the enforcement of Zero Trust segmentation, there was probably a lot less that our pen testers could get to or see, because we have this in place, than the previous year. The results are pretty good for an organization of our size, so definitely something we still have our eye on.
Raghu N 30:54
Well, hey, security is all about qualitative measures, so we'll take pretty good, and we'll take good as a good measure of success, right? I think this conversation is fascinating. I'm getting so much, Greg, from our discussion here. What's a common misconception, whether it's vendors or even organizations, have when their team is very lean?
Greg Mitchell 31:14
I think one of the biggest things, you know, is you don't have to break the bank. You don't have to pay for the latest and greatest application or software to be able to do this. A lot of it is, you know, analyzing what you currently have and what its capabilities are. It's easy for me to think that we're a large organization. We are, I mean, we're one of the larger credit unions in the Pacific Northwest here, but when you compare that to the likes of other enterprise organizations, we are kind of a lean team. We are kind of small when you think about that. And so it took me a little bit to get over this mentality that we are big. We have a big and robust IT team, but in the grand scheme of things, we're not as large as others out there. And so as I kind of reflected a little bit about our approach to this, I needed to have the mentality that we were a lean team. We are a smaller organization adopting something like this. And so, I think the biggest thing was, you know, we didn't have to break the bank to find an application that was hundreds of thousands of dollars to do this. You know, even cybersecurity in general, if you've got a firewall, you can do something. If you've got some form of Zero Trust that can be implemented, you've got something in place. I think the hardest thing for smaller organizations is, you know, when you're talking about IT staff and staffing those positions, the smaller you are, the more hats those people wear. And so you might have two or three people who are involved in the networking, involved in the server infrastructure, involved in the cyber. And so, you know, how do you take a deep dive into something as important as this? It becomes a little bit more difficult, but I think at the same time, it depends on leadership, and where you get that buy-off of pushing forward with something like this. So, Zero Trust is a mindset. And it's adopting that as well as just protecting from things externally.
Raghu N 33:13
So brilliantly expressed, right? Because it's really, with lean teams, you don't necessarily have specialist teams. You have a lot of generalist teams wearing multiple hats, but it's also you're thinking, okay, what can I do with what I have? So, what's the opportunity there? I want to make progress, and I have this technology already, environment, let's say, and I think if I do this, then we're going to make progress, and we're not spending more because we've already bought it. Then it's about getting the buy-in. And you've kind of spoken about how you build that faith in the process so that everyone comes along. I think that that's a fantastic learning for sort of, for listeners, for any organization's takeaway. So, as we wrap up and you look forward, what are you excited about, in terms of, like, whether it's technology, whether it's opportunities that arise, etc.? Like, what are you excited about?
Greg Mitchell 34:03
Yeah, I think the writing on the wall for us right now says, you know, as we move a little bit more cloud based, we need to start taking a look at how we can protect the cloud endpoints. A lot of what we've done right now is just your, I mean, they're not physical, but your virtual servers that are in house; we've done a lot of Zero Trust around that. That's what all of our efforts have been. But we are an organization that's looking a little towards the cloud as we operate, and so we're having some early conversations with Illumio around what that looks like, the tool sets that are there, and we're including our engineering team. You have to have the individuals who are responsible for designing and architecting that cloud infrastructure involved in this. And so I would say for us next, it's analyzing that, and I think we even have, you know, some conversation here at the end of the year with Illumio to dive a little bit more into what does that look like. How can this play out in our environment? And how can we shift from just those physical machines in-house to also expanding in our Azure platform as well? That's probably the biggest thing, you know. And like I said, we're constantly adding servers and bolstering our back end, so it's just repetition. So, we're just jumping in there and doing what we need to do and adding the Zero Trust where we need to add it.
Raghu N 35:21
Well, Greg, we're super excited, of course, to be on this proverbial journey with you. And if there's one thing I'm going to take away from this conversation with yourself, it's what is achievable when you bring everyone along for the ride, when you get all the right engagement from all the key stakeholders, the ability to almost move in unison and make progress that results in some incredible benefits that you're already sort of seeing from a risk reduction perspective. So, I really appreciate the conversation today, Greg. And amazingly, we've been able to have this entire conversation on cyber, on technology, without mentioning AI once.
Greg Mitchell 36:04
That doesn't happen too often anymore. It's a whole other ball of wax, you know, we could dive into, but AI is very... we're very cognizant as an organization around AI, how it affects everything, all the way from how it can improve your member experience down to how AI can be used against cyber threats and things like that. So, those are, those are all conversations and topics that get brought to light as we look at our strategic initiatives, and our CISO and cyber team are definitely very aware of that, and it's a conversation for another time, I suppose.
Raghu N 36:40
Absolutely, for when you're back on the podcast, right, for our sort of, our episode 2 with Greg. Greg, thank you. Thank you so much. And appreciate your time and your customer, of course.
Greg Mitchell 36:52
Thank you, absolutely. Thank you for having me. Appreciate it.
Raghu N 36:56
Thanks for tuning in to this week's episode of The Segment. For even more information and Zero Trust resources, check out our website at illumio.com. You can also connect with us on LinkedIn and Twitter at Illumio, and if you liked today's conversation, you can find our other episodes wherever you get your podcasts. I'm your host, Raghu Nandakumara, and we'll be back soon.